Courts Cast Wary Eye on Evidence Gleaned From Cell Phones

The afternoon of Sept. 18, 1993, someone set fire to a notorious Los Angeles drug house near the University of Southern California, killing an addict. Four years later, R&B singer Waymond Anderson was convicted of the murder, based on the shaky testimony of two eyewitnesses, and on a third, silent witness whose implacable digital testimony the defense didn't dare challenge: Anderson's cell phone.

A police forensics expert told the jury that call logs proved Anderson was in the neighborhood at the time of the murder, and that he even made a phone call through a cell tower located just a quarter-mile from the blaze. Anderson's lawyer didn't attempt to question what was then bleeding-edge scientific evidence. "Nobody challenged the officer in the investigation," says David Bernstein, Anderson's new attorney. "Probably because cell phones were such a new technology."

Now down 13 years on a life sentence, Anderson has his first shot at freedom. The two eyewitnesses have recanted. And using information about cell-phone tower locations with some sleuthing on MapQuest, Bernstein recently showed an appeals court that Anderson's cell phone was in a car driving away from the site of the crime at the time the arsonist was splashing gasoline around the converted garage. The closest transmitter the phone passed was a mile away from the crime, not a quarter-mile as the police claimed; and by the time the fire was hurling black smoke into the south Los Angeles sky, Anderson's phone was linking with a different transmitter six miles away, in Chinatown.

Based on this new information, a three-judge panel of the California 2nd District Court of Appeal ordered the case reopened last month, and gave the Los Angeles court that convicted Anderson until August to hold hearings on the new evidence, or release Anderson.

The Anderson appeal may be the first chink in the formerly invincible armor of cell-phone forensics at trial. Over the past decade, law enforcement at all levels has been turning to mobile gear for crucial evidence in criminal and civil investigations. "One of the first things that's looked at is a cell phone now," explained National Institute of Standards and Technology researcher Wayne Jansen. But with unclear forensic standards for gathering such evidence, and investigators often resorting to ad hoc tools and procedures, cell data seems likely to face new hurdles in the courtroom.

It's easy to see the appeal of cell-phone evidence. The memory cards in the phones are packed with useful information: everything from contact lists and SMS messages — including deleted text — to call logs, and data about locations where the phone has been, all of which can be readily accessed with the right software and a court order. And with the advent of camera phones capable of snapping photos and saving short video snippets, the cell phone is morphing into a one-stop multimedia evidence kit.

"People seem to take joy in recording their crimes to their mobiles," said Lester Wilson, managing director of Crownhill, a company that makes a forensic tool for snarfing evidence off SIM cards in cell phones. "Anything you can think of — street robbery, kidnapping, sex crimes — they're taking pictures," said Wilson, whose work for the London police has required him to extract data from SIM cards "covered in blood, or bitten."

In 2005, two high-profile murder cases were solved with cell evidence. Piper Roundtree was convicted of killing her ex-husband after examination of her phone placed her in his vicinity at the time of the murder; and Daryl Littlejohn, a New York City bouncer, is charged with murdering student Imette St. Guillen after his cell showed that he'd made a call on the night of the murder near the spot where police later located the body. And it's not always the perp whose phone holds the evidence, said Wilson. "Say you find a dead body in a river. Using forensic techniques on their mobile, you can locate where they were thrown in the water, because that's probably the moment the phone stopped working."

According to the GfK Group, an international market-research organization, 1 billion cell phones were sold worldwide in 2006 — up from 812 million in 2005. Shadowing that growth is a niche industry specializing in selling mobile-forensics tools to police and others. Amber Schroader, CEO and chief architect at Utah-based Paraben, said her company's most popular product is such a tool, called Device Seizure. "We sell hundreds of units per month, mostly to law enforcement," she said. Using Device Seizure, or dozens of other software packages like it, law enforcement officers can instantly drag and drop data from phones into tamper-proof evidence files.

But many of the tools that investigators use to extract evidence are not designed to be forensically sound; put simply, they don't always have built-in features to prevent evidence tampering. Oxygen's Mobile Phone Manager is a phone-syncing tool that was used for at least two years by law enforcement to gather evidence. But it wasn't until April that the company released a tamper-resistant "forensic" version of the software that saves a cryptographic hash of the data it sucks from a cell phone, allowing investigators to later verify that nothing's changed.

How did Oxygen's law enforcement users secure the chain of custody in data before Oxygen Forensic? Company spokesman Oleg Fedorov wrote in e-mail, "I can't say precisely how they protected data from tampering. I can only suggest they didn't change any information and didn't press the 'Write' button."
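The hash-then-verify step described above, as an added sketch that is not Oxygen's code or any vendor's format: each extracted item is hashed at acquisition, and a later check reports items that were modified, removed or added. Keying the manifest with an HMAC is an assumption added here, because a bare hash saved next to the data can simply be recomputed by whoever alters the data; the file names, key and records are constructed.

```python
import hashlib
import hmac
import json

def _mac(digests, key):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(artifacts, key):
    """At acquisition: SHA-256 per extracted item, plus a keyed MAC over the list."""
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in sorted(artifacts.items())}
    return {"digests": digests, "mac": _mac(digests, key)}

def verify(artifacts, manifest, key):
    """Later: report whether the manifest itself and each item are unchanged."""
    digests = manifest["digests"]
    report = {
        "manifest_intact": hmac.compare_digest(_mac(digests, key), manifest["mac"]),
        "modified": [], "missing": [],
        "added": sorted(set(artifacts) - set(digests)),
    }
    for name, digest in digests.items():
        if name not in artifacts:
            report["missing"].append(name)
        elif hashlib.sha256(artifacts[name]).hexdigest() != digest:
            report["modified"].append(name)
    return report

def demo():
    key = b"constructed-demo-key"  # assumption: kept by the examiner, apart from the data
    acquired = {  # constructed sample extraction, not real evidence
        "call_log.csv": b"2007-05-01T15:02,outgoing,555-0100\n",
        "contacts.vcf": b"BEGIN:VCARD\nFN:Sample Contact\nEND:VCARD\n",
        "sms.txt": b"2007-05-01T15:10 555-0100: running late\n",
    }
    manifest = seal(acquired, key)
    altered = b"2007-05-01T15:10 555-0100: meet me there\n"
    later = {**acquired, "sms.txt": altered, "planted_contact.vcf": b"BEGIN:VCARD\n"}
    del later["call_log.csv"]
    # Someone without the key rewrites the stored digest to match the altered item.
    forged = {"digests": {**manifest["digests"],
                          "sms.txt": hashlib.sha256(altered).hexdigest()},
              "mac": manifest["mac"]}
    return (verify(acquired, manifest, key), verify(later, manifest, key),
            verify({**acquired, "sms.txt": altered}, forged, key))

if __name__ == "__main__":
    for report in demo():
        print(report)
```
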

Another problem is that the market is glutted with so many different types of cell phones that there will always be some models for which no existing forensic tools work. In that case, "Sometimes the best tools are hacker tools, as long as they've been thoroughly examined and reverse-engineered," said Jansen, who helped write NIST's official recommendations (.pdf) for documenting the chain of evidence and creating tamper-proof files when searching a cell phone.

Even the best forensic practices will face a daunting challenge as more complex mobiles become vulnerable to tampering before they're seized as evidence. It's relatively easy for an adversary with a Bluetooth device to plant new addresses in a Bluetooth-enabled phone's contact list, or even place bogus calls from the phone. Keith Thomas, a cell-phone forensics expert with First Advantage Litigation-Consulting, said this is where the real problem for investigators will begin — when courts start to realize that evidence from cell phones isn't any more foolproof than what's found on computers.

"There is always a question about who put stuff on your computer," Thomas said. "But on a cell, it's nothing but personalized — you can get the telephone numbers the person called and verify when that person was on the phone. For right now there are less questions about who had access to the phone." But, he acknowledged, there will be more, "as soon as people realize there are other means of putting data on the phone."
